Windows 8 Secure Boot: Handy Malware Backdoor for Nosy Governments?

[qubit]

We've written before how Microsoft's new secure boot feature in Windows 8 could likely be used to shut out competition and create the ultimate in walled garden consumer lock-ins - something that is very undesirable from a competition, price and consumer choice viewpoint. However, it now appears that governments could lean on Microsoft in order to install secret snooping malware on user's PCs.

Ross Anderson, professor of Security Engineering at the University of Cambridge Computer Laboratory, has written in the Light Blue Touchpaper blog, about this issue. He starts off by explaining how secure boot could limit the purchase Metro apps to only the official Microsoft app store, saying. "Even if users can opt out, most of them won't. That's a lot of firms suddenly finding Steve Ballmer's boot on their jugular." That sounds very well put and really doesn't paint a pretty picture, does it? It's exactly the same tactic as all these firms that require you to opt out of receiving their junk mail, toolbars etc when installing software, knowing full well that the majority won't.

However, this control can turn from monopolistic to sinister, because governments could potentially lean on Microsoft to give them an official key in order to install malware on user's PC's, which could be next to impossible to remove. The particular example he gives is that of Tubitak, the Scientific and Technological Research Council of Turkey, saying that he has removed their key from his web browser, but how would he identify all foreign governments' keys?

We've also been starting to think about the issues of law enforcement access that arose during the crypto wars and that came to light again with CAs. These issues are even more wicked with trusted boot. If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs' gmail, then I expect they'll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware. Hey, I removed the Tubitak key from my browser, but how do I identify and block all foreign governments' UEFI keys?

Sounds nasty, doesn't it? This isn't something that anyone should want on their computer.

Anderson has also written an 8-page paper (PDF) entitled "Can We Fix the Security Economics of Federated Authentication?" which covers this problem in great detail.

The Free Software Foundation has also also started a petition against secure boot, which people are encouraged to sign.

View at TechPowerUp Main Site

 

[Halk]

Whatever they do will be reverse engineered and the technically adept user will be able to use and abuse whatever secure boot ends up offering...

However I don't accept that end users will be at the whim of governments spying on everything that they do, that doesn't seem like a realistic prospect.

 

[RejZoR]

This should be optional and available through a physical switch on a motherboard, so no malware can change it on its own. But if user wants this technology, they can enable it (or disable) at any time. This would be great actually. But if they plan to lock it out, it's just not gonna work. With so many great free and open source apps, there is no way of signing them all or demand special fees to get them ready for this closed ecosystem.

 

[qubit]

This should be optional and available through a physical switch on a motherboard, so no malware can change it on its own. But if user wants this technology, they can enable it (or disable) at any time. This would be great actually. But if they plan to lock it out, it's just not gonna work. With so many great free and open source apps, there is no way of signing them all or demand special fees to get them ready for this closed ecosystem.

Good points - please sign the FSF petition! Link at the bottom of the article.

 

[Frick]

Meh, the Government can do a lot of shit anyway.

And this is borderline editorial.

 

[Neuromancer]

Dont need windows 8 if you are running Intel equipment remote backdoor is built in

 

[qubit]

Dont need windows 8 if you are running Intel equipment remote backdoor is built in

I think you're thinking of vPro - and you're correct. It's right down to the chipset and CPU level, no software required. :shadedshu Dunno how you block this one.

 

[RejZoR]

I think you're thinking of vPro - and you're correct. It's right down to the chipset and CPU level, no software required. :shadedshu Dunno how you block this one.

You can block it by not buying Intel to begin with

 

[Easy Rhino]

Meh, this is a lot of ton-foil hat wearing nonsense. Using the words 'could likely' in this sense follows the same conspiratorial logic about the US government could likely fly planes into the twin towers. The ability of microsoft and other software companies to install backdoors in your software and hardware has been there for decades. Get over it people.

 

[Shihab]

^
+1 ... the twin tower incident was a Mossad/Russian joint op !
>_>

You can block it by not buying Intel to begin with

And end up using faildozer instead ? No thanq. I'll pick the spybot chip !
/jk

 

[qubit]

^
+1 ... the twin tower incident was a Mossad/Russian joint op !
>_>


And end up using faildozer instead ? No thanq. I'll pick the spybot chip !
/jk

Yes, it's a bit of a lose-lose situation, isn't it?

 

[Easy Rhino]

Yes, it's a bit of a lose-lose situation, isn't it?

You should probably prove something to be true before you go around boycotting it.

 

[qubit]

You should probably prove something to be true before you go around boycotting it.

I'm not actually boycotting Intel over this, just making the point that whether you go AMD or Intel, you lose something significant. With AMD it's performance and Intel it's privacy from government snoops. Choose your poison.

 

[Easy Rhino]

I'm not actually boycotting Intel over this, just making the point that whether you go AMD or Intel, you lose something significant. With AMD it's performance and Intel it's privacy from government snoops. Choose your poison.

there has been zero evidence that governments have been using intel chips to snoop on people.

 

[Wile E]

there has been zero evidence that governments have been using intel chips to snoop on people.

And even tho it's "hardware level", it can't work without the appropriate software. So it's still defeatable.

I agree, this is a bit on the paranoid side. Good point on possible security hole, but credibility goes down with the mention of the govt using it against us.

 

[Shihab]

there has been zero evidence that governments have been using intel chips to snoop on people.

How dare you question the conspiracy theory ! Now feel the wrath of the Illuminati !
No seriously, what's with all this paranoia going around ? Everyone thinks there's someone spying on them.

 

[Frick]

I agree, this is a bit on the paranoid side. Good point on possible security hole, but credibility goes down with the mention of the govt using it against us.

You really should read Qubit's other news posts.

 

[Easy Rhino]

Some paranoia is healthy. Evolution Scientists claim it is paranoia that has helped us survive as long as we have. This kind of paranoia though will land you in the looney bin.

We all know bad governments will use any means necessary to control the populace. Does that mean we should get rid of all digital technology now? Or, as the professor lays out, should we CREATE MORE government regulations to prevent the possibility of this happening. The irony is not lost on me.

 

[TRWOV]

We’ve written before how Microsoft's new secure boot feature in Windows 8 could likely be used to shut out competition and create the ultimate in walled garden consumer lock-ins...

Why is it "likely"? That "likely" isn't necessary in that sentence IMO.

 

[horik]

you can unplug your pc from the internet...

 

[Shihab]

you can unplug your pc from the internet...

The government have already countered that one -> free porn social networks.

 

[fusionblu]

This gets more worst; at first I thought this was both an anti-piracy and brutal marketing tactic to kill competition, but now Microsoft is helping governments worldwide snoop on all internet users and their activities, this is not acceptable!!! [SIGNED NOT TOO LONG AGO]

The government have already countered that one -> free porn social networks.

The only way that it can be countered is if someone uses someone else's wifi, but 9/10 users would probably access the wifi and uses services (MSN Messenger, Steam, etc) specific and identifiable the user themselves so even that method could be pointless overall.

 

[Frick]

This gets more worst; at first I thought this was both an anti-piracy and brutal marketing tactic to kill competition, but now Microsoft is helping governments worldwide snoop on all internet users and their activities, this is not acceptable!!! [SIGNED NOT TOO LONG AGO]

You see this is the problem with "qubit news". The post is full of potentials and maybes but people ignore that.

 

[Neuromancer]

And even tho it's "hardware level", it can't work without the appropriate software. So it's still defeatable.

I agree, this is a bit on the paranoid side. Good point on possible security hole, but credibility goes down with the mention of the govt using it against us.

I just brought it up to compare to people worrying about windows 8 backdoor.

Government does not NEED a backdoor into your PC, but vPro is pretty powerful.

you can remotely powerup a machine and even install OS! I have not looked into it in detail for some reason it does not get a lot of marketting, but I think it is one of the coolest features Intel has going (as well as the most troubling, as there is no BIOS option to disable it...)

 

[Eva01Master]

The question is simple, if the governments feels like taking a peek on their citizen's activities, they will do it and neither you or me (Common populace) will know about it. So it's borderline ridiculous to "sabotage" Microsoft, Intel or (Name of a leading tech company) because they push forward X or Y technology... All in all new technology is good to us end users because they innovate with a purpose but we're the ones which are able to wield those new technologies however we see fit.